Tuesday, January 23, 2007

ChicagoLUG.org single sign-on

For a while we've talked about implementing a single sign-on for the services on chicagolug.org. Here are some notes I jotted down about how to do this.

Services:
  • Mediawiki
  • phpBB
  • mailinglist?
Interface:
The user logs in to a customized form. Upon proper authentication with the LDAP database, the web application sets the login cookie(s?) for the various services. Clicking "Logout" on any one of the services logs the user out of all services.

Possible complications:
  • Mediawiki uses user id numbers as well as usernames. phpBB may do this as well.
  • phpBB (or others) may also need to set session ids in a database - potentially a problem if this expires based on user activity - can we remove this?
  • Mediawiki's database structure for user profile options is a minor headache
  • Where does the mailinglist store user information?

Possible implementations:
  • Create an application to set the proper cookies for each service (more complicated; not a very elegant solution)
  • Hack the existing services to handle a single "logged on" cookie. (more elegant, but potentially less secure. If there is a security flaw in our implementation this might render other services vulnerable. Also, if there are any future upstream security vulnerabilities in one service, they might affect the other services.)
  • Note: Either of these will require carefully analyzing the implementations of the authentication mechanisms for each service. If we need to upgrade a service, we will have to carefully track what changes are made so that they can be "patched" into future versions. (Example: Let's say that we install version X of Mediawiki. If version X is later found to have a cross-site scripting vulnerability, we will need to upgrade to version Y, but we also need to make sure our customizations fit into version Y.)
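As an added illustration of the "single logged-on cookie" option above (this is example code, not anything from the post or from chicagolug.org), here is a Python sketch of the piece every service would share: a signed cookie minted after the LDAP bind succeeds, a verifier each service calls, and a logout that revokes the session everywhere. It assumes a secret and a session table shared by all services; the LDAP bind itself is not shown.

```python
import hmac
import hashlib
import secrets
import time

# Assumption: one secret known to every service that accepts the cookie
# (hypothetical value). Because it is shared, a flaw in any one service
# that leaks it compromises the login for all of them.
SHARED_SECRET = b"replace-with-a-long-random-secret"

# Server-side record of live sessions shared by all services. Revoking an
# entry here is what makes "Logout" on one service log out of all of them.
ACTIVE_SESSIONS = {}


def issue_cookie(username, ttl=3600, now=None):
    """Mint one cookie, valid for every service, after a successful LDAP bind."""
    now = int(now if now is not None else time.time())
    session_id = secrets.token_hex(16)          # random, not guessable
    ACTIVE_SESSIONS[session_id] = username
    payload = f"{session_id}:{username}:{now + ttl}".encode()
    sig = hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()
    return payload.decode() + ":" + sig


def verify_cookie(cookie, now=None):
    """Return the username if the cookie is genuine, unexpired and still
    logged in; return None otherwise."""
    now = int(now if now is not None else time.time())
    parts = cookie.split(":")
    if len(parts) != 4:
        return None
    session_id, username, expires, sig = parts
    payload = f"{session_id}:{username}:{expires}".encode()
    expected = hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None                              # tampered or forged
    if int(expires) <= now:
        return None                              # expired
    if ACTIVE_SESSIONS.get(session_id) != username:
        return None                              # logged out, or never issued
    return username


def logout(cookie):
    """Clicking Logout on any service revokes the session for all of them."""
    parts = cookie.split(":")
    if len(parts) == 4:
        ACTIVE_SESSIONS.pop(parts[0], None)
```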

Questions:
To what degree should the individual services' profile databases be merged into the LDAP database? One of the cool parts of this will be the ability to sync email address changes, etc., but is this going to be viable with every service, everywhere? Will we need to create a "single profile editor" in addition to the single sign-on? It'd be cool, just more work :) Basically we need to decide whether the LDAP will handle authentication only (just username/password) or an email address, or even other profile information.

Things to store in LDAP:
  • Username
  • Password

Possible things to store in LDAP:
  • Email (confirmed?)
  • Group membership for each service (Admin, Moderator, etc.)
  • phpBB variables (id number?, signature, avatar, website, etc)
  • mediawiki variables (watchlist, etc.)
  • mailinglist variables (subscriptions, active/inactive, digest, etc.)

I don't have much experience with LDAP; in fact I've only briefly played around with PHP's LDAP functions. I guess I'll learn more if this project ever gets off the ground :)